CVE-2011-3192

Publication date 29 August 2011

Last updated 24 July 2024

Ubuntu priority

Description

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
apache2	11.04 natty	Fixed 2.2.17-1ubuntu1.2
	10.10 maverick	Fixed 2.2.16-1ubuntu3.3
	10.04 LTS lucid	Fixed 2.2.14-5ubuntu8.6
	8.04 LTS hardy	Fixed 2.2.8-1ubuntu0.21

Notes

jdstrand

regression on streaming videos from apache in Debian Bug #639825

sbeattie

am unable to reproduce the streaming videos regression with mplayer from oneiric/amd64, natty/amd64, maverick/i386 and hardy/amd64 against a maverick/i386 server with the pending apache update installed.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
apache2	Vendor: http://www.debian.org/security/2011/dsa-2298 Debian: http://anonscm.debian.org/viewvc/pkg-apache/trunk/apache2/patches/083_CVE-2011-3192.dpatch?view=markup

References

Related Ubuntu Security Notices (USN)

USN-1199-1
Apache vulnerability
1 September 2011